Follow Us

Industry: Financial Services

With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.

Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA). The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.

This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” In the first installment, we looked at DOJ’s recommendations for preparedness. Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.

The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.

Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.

In Accenture’s 2018 State of Cyber Resilience for Banking & Capital Markets study, the consulting firm reported the rate at which cyber-attacks on banking and capital markets firms are successful dropped from 36 percent in 2017 to 15 percent in 2018. Despite the improvement, one in seven cyber-attacks remain successful – begging the broader question of what else, if anything, banks and capital market firms could be doing to protect themselves from attack?

On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.

But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.

Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.

Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.

At the end of last year, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The “purpose and intent” of the law is to “establish[] standards for data security and investigation and notification of data security applicable to insurance providers.”

The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application. The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.

Equifax Inc.’s interim CEO, Paulino do Rego Barros Jr., issued the company’s second public apology this morning for the massive data breach that has affected as many as 143 million U.S. consumers.

In a Wall Street Journal op-ed, Barros acknowledged the company’s ball drop in handling the breach and promised to “act quickly and forcefully to correct our mistakes.” He said the company will introduce a new service that would permit consumers to control access to their personal credit data.

Yesterday, New York’s top financial regulator asked state-chartered banks and insurers to take immediate precautions to protect consumers and the financial markets “in light of the cybersecurity attack” at Equifax Inc.

Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.” According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

As we have discussedin previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States. Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses. Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” That leaves just about everyone asking: What should we do?

In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach. In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.” A copy of the summary is available here. This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

A federal appeals court earlier this week dealt a blow to healthcare insurer CareFirst, Inc., concluding that a group of customers have the right to pursue a class action data breach lawsuit based on a 2014 cyberattack.

Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.

New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017. But is the financial industry ready and equipped to comply with this detailed regulation? According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”

New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year. Companies covered by the regulation must comply with the first round of requirements by August 28th.

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice. They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

New survey reports less than half of financial firms will meet deadline

by Kade N. Olsen and Craig A. Newman on June 16, 2017

A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

Justice Shirley Kornreich recently issued one of the few New York state court decisions that address the Computer Fraud and Abuse Act (“CFAA”). Spec Simple, Inc. v. Designer Pages Online LLC, No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017). The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer. Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA. Id. at *4 (citing 18 U.S.C. § 1030(g)). As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state.

For healthcare insurers that operate in New York, data security regulation has gotten more complicated. The U.S. Department of Health and Human Services’ Office for Civil Rights has been the industry’s primary data security regulator.

New York’s top banking regulator would like the state’s new sweeping – and highly detailed – cybersecurity regulation to serve as a national model for insurance companies in safeguarding their institutions from cybercrime.

New York State Department of Financial Services Superintendent Maria T. Vullo is scheduled to discuss the state’s new “first in the nation” cybersecurity regulation later this week at the National Association of Insurance Commissioners annual meeting in Denver.

Over the last few months, the New York Department of Financial Services (“DFS”) cybersecurity regulation has undergone multiplerevisions. But late last week, DFS issued its final regulation, which will go into effect on March 1, 2017.

New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Today, Reuters reported that the New York Department of Financial Services (“DFS”) will delay the effective date of its new cybersecurity regulation. According to a “person familiar with the matter,” the DFS will publish a new version of the cyber security regulation on December 28, 2016, and the effective date for the rule will now be March 1, 2017.

Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.

Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.

This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company. Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom.

As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment. In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

About Our Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.